The average PC user does not need access to the entire Internet, and the more of it they can reach, the more potential sources of security trouble they are exposed to. Consider that many high-profile crime syndicates operate out of the APNIC region; what if the average user could turn off that entire address space on their computer with a click of the mouse? Imagine opening a window and selecting only the Regional Internet Registry zones you actually need from the choices below:

Regional Internet Registry zones - Image Credit Arin.net

In an “advanced mode” you could drill down further and pick individual locales within a zone. For example, perhaps you need access only to Japan, Australia and India but want to limit exposure to hosts in China and other APNIC countries. Lazy users could simply subscribe to “recommended” settings for their region based on the level of security desired.
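The RIRs publish “delegated” statistics files in which every allocation is one line of registry, country code, start address and host count, so the zone and country selection described above can be turned into a CIDR block list for a router or firewall by filtering those records and summarizing each one into prefixes. This example is added here and is not code from the original post; the records in it are constructed, and a registered country code says where an allocation was assigned, not where a host physically sits.

```python
import ipaddress

# Constructed records in the RIR "delegated" file format
# (registry|cc|type|start|value|date|status); not from a real file.
SAMPLE_DELEGATED = """\
2|apnic|20110601|4|19830101|20110531|+1000
apnic|*|ipv4|*|4|summary
apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|JP|ipv4|1.0.16.0|4096|20110412|allocated
apnic|CN|ipv4|1.0.32.0|768|20110412|allocated
apnic|AU|ipv4|1.0.4.0|1024|20110411|allocated
"""

def parse_delegated(text):
    """Yield (registry, country, start_ip, count) for each IPv4 record,
    skipping the version line, the summary lines and comments."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) < 7 or fields[2] != "ipv4" or fields[3] == "*":
            continue
        registry, cc, _type, start, value = fields[:5]
        yield registry, cc, ipaddress.IPv4Address(start), int(value)

def build_blocklist(text, registries=None, countries=None):
    """Return CIDR strings covering every IPv4 allocation in the chosen
    registries (a whole zone, e.g. {"apnic"}) and/or countries (the
    drill-down, e.g. {"CN"}). A record is a start address plus a host
    count that need not be a power of two, so it may need several prefixes."""
    nets = []
    for registry, cc, start, count in parse_delegated(text):
        if registries is not None and registry not in registries:
            continue
        if countries is not None and cc not in countries:
            continue
        nets.extend(ipaddress.summarize_address_range(start, start + (count - 1)))
    # merge adjacent prefixes so the rule set pushed to routers stays small
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def is_blocked(ip, blocklist):
    """True if `ip` falls inside any prefix of `blocklist`."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in blocklist)

if __name__ == "__main__":
    china_only = build_blocklist(SAMPLE_DELEGATED, countries={"CN"})
    print(china_only, is_blocked("1.0.34.9", china_only))
```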

Why bother?

There are several very good reasons why this approach can help make end users more secure and, more importantly, make life more difficult for internet criminals and the countries that harbor them. The idea actually came to me while writing an article about the RSA hack that resulted in a re-issue of all of their SecurID products. I learned that the host the Poison Ivy malware had contacted was a known source in other attacks.

Why was RSA allowing traffic to communicate with a known malicious host?

The host in the RSA hack was located in the APNIC region, again a zone that the average user does not need access to and probably would not even miss. In this example the attack would have failed, and a determined criminal would have had to find another way, creating more risk of detection for them and more work. They might become discouraged and find something more lucrative to do with their time (with a little luck, something legal). As for the governments that allow these sites to operate within their borders, they would drive themselves into further isolation; few nations in the world would be untroubled by significant numbers of users bypassing sites in their country.

Corporate and Government Applications

This technology could quite easily be adapted for corporate use, centrally managed, and could even include a dynamic blacklist of emerging dangerous addresses. Say, for example, that a particularly nasty virus is spreading through the internet; most malicious programs have to phone home somewhere (to get instructions, etc.). Push that address out to the blacklist for millions of users and, even if some of them do get infected, the command and control channel is effectively cut off instantly.

What would happen when you try to access a site in the blocked zone?

We know malicious programs attempting to reach blocked sites would fail, but what about when you try to access something you know to be legitimate? In that case the connection would also fail if the site was within the blocked zone. A web browser could easily show a screen saying “this site falls within your blocked zone”, conceivably with the option to add it to the safe list.

It’s not perfect, how can we make it better?

I realize this solution is not perfect, but I think the idea is a solid one: it introduces some new leverage in the information security problem. OK infosec pros, what would you do to make this an even better solution?

There are lots of layers to security and, in all fairness, I hold no technical information security certifications. I do know that the weakest link is usually the human being sitting at the keyboard. In this case someone at RSA (a security firm) opened an email that said just:

I forward this file to you for review. Please open and view it.

No signature, nothing, nada. It had an Excel file attached, “2011 Recruitment plan”. They opened it. They were infected by a zero-day Flash exploit embedded in the Excel file.

RSA got “Owned”

I am frustrated because I know this happens every day all over the world, and were it not so sad it would almost be laughable how easy it is to compromise computer systems. I could talk about all the defenses that failed RSA in this case, but in the interest of time I am going to focus on one:

Why did RSA allow traffic to a known malware site?

The site that the payload (Poison Ivy) contacted was mincesur.com, which according to F-Secure:

“The domain mincesur.com has been used in similar espionage attacks over an extended period of time.”

WHAT?!?!?

Then why on earth was RSA allowing its systems to access that site? I did an arin.net lookup for the IP address of mincesur.com (119.70.119.30):
I can understand a company like RSA needing access to the APNIC space, though most of us do not. Specifically though, why would they route traffic to an address/domain that is known to be used in espionage attacks? Since we have already established that the user failed to identify the threat, what about the other devices and mechanisms that touched the transaction between the infected computer and that host?

Touch #1 – DNS Lookup

When the Poison Ivy payload asked the DNS system for the IP address of mincesur.com, the DNS servers at RSA promptly handed it the known threat’s IP address. It is possible and useful to add records so that known malicious domains resolve to something harmless, such as the loopback address 127.0.0.1 (the payload would then try to connect to the local machine itself). Failed.

Bonus info: this can even be overridden and handled by a hosts file on an individual computer. (An example is at Malwarehelp.org.)
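The DNS touch above is also the easiest place to notice an infection after the fact, because the resolver’s query log records which internal client asked for the malicious name. This added example (not code from the post) scans constructed BIND-style query log lines for queries to a listed domain or any of its subdomains, and renders the hosts-file sinkhole entries the post mentions; the log format and the client addresses are assumptions.

```python
import re

# Constructed BIND-style query log lines for this example; the client
# addresses and timestamps are made up, the domain is the one F-Secure
# named in the RSA case.
SAMPLE_QUERY_LOG = """\
18-Mar-2011 09:12:01.004 client 10.1.4.22#51234: query: www.example.com IN A + (10.1.0.2)
18-Mar-2011 09:12:07.118 client 10.1.4.22#51240: query: mincesur.com IN A + (10.1.0.2)
18-Mar-2011 09:12:07.602 client 10.1.4.22#51241: query: update.mincesur.com IN A + (10.1.0.2)
18-Mar-2011 09:13:44.910 client 10.1.9.7#40022: query: notmincesur.com IN A + (10.1.0.2)
18-Mar-2011 09:14:10.377 client 10.1.9.7#40023: query: mail.example.com IN MX - (10.1.0.2)
"""

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def is_listed(qname, blocklist):
    """True when qname equals a listed domain or is a subdomain of it.
    Matching whole labels (not substrings) keeps notmincesur.com from
    matching mincesur.com."""
    name = qname.rstrip(".").lower()
    for bad in blocklist:
        bad = bad.rstrip(".").lower()
        if name == bad or name.endswith("." + bad):
            return True
    return False

def find_blocked_queries(log_text, blocklist):
    """Return (client, qname) for every query the resolver answered that
    it should instead have refused or sinkholed."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_listed(m.group("qname"), blocklist):
            hits.append((m.group("client"), m.group("qname")))
    return hits

def hosts_sinkhole(blocklist, sink="127.0.0.1"):
    """Render hosts-file lines pinning each listed domain to the
    sinkhole address: the per-machine override the post mentions."""
    return "\n".join(f"{sink} {d}" for d in blocklist)

if __name__ == "__main__":
    for client, name in find_blocked_queries(SAMPLE_QUERY_LOG, ["mincesur.com"]):
        print(f"{client} asked for {name}")
    print(hosts_sinkhole(["mincesur.com"]))
```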

Touch #2 – Antivirus Software

Touch #3 – Router

One or more RSA routers were touched in the process. Without a router a computer cannot communicate with systems outside its own network. Routers can maintain blacklists or null routes to drop traffic coming from or going to known malicious sites. The router(s) in this case happily sent and received traffic from the known malicious host. Failed.

Touch #4 – Proxy Server (Optional)

Many companies use a proxy server or transparent proxy to cache copies of frequently accessed files so they do not have to be downloaded every time. A proxy server can optionally provide additional protection, including domain-based filtering. Since mincesur.com was a known malware domain, this could easily have been blocked by a proxy server. Failed.

Touch #5 – Intrusion Detection/Prevention Device (IDP – Optional)

These are usually signature-based devices that look for traffic matching a known malicious definition, such as traffic coming from or going to a known malicious website. Failed.

Touch #6 – Firewall

Even many small companies have firewall hardware. Firewalls allow much more complex rules about what kind of traffic can go where, and even when. Firewalls are the ultimate traffic cops for networks. There are a number of ways a properly configured firewall could have prevented this infection. Failed.

Is it time to re-prioritize?

With so many chances to block this from happening, how is it that a company like RSA, which is in the business of security products, is not better protecting itself from threats? I’m sure they have made changes as a result, but for a company with a reputation for having things locked down, I find it excruciatingly curious that they allowed traffic to a known malicious site, don’t you?

In Joe's day job he helps manufacturers eliminate waste in their engineering, CNC programming and machining departments. He is currently 2018-2019 chair of the Sacramento Valley SME, an avid Maker and current Mechatronics student.